Commit graph

568 commits

Author SHA1 Message Date
Markus Bauer
c0fb45e79e Fix potential CSRF circumvention with custom HTTP methods (#76)
* Backported patch, fixing potential CSRF circumvention with custom HTTP methods.

Upstream: 0f818a23a8

* Fix unit tests for SecurityComponent

---------

Co-authored-by: Markus Bauer <markus.bauer@cispa.saarland>
2024-07-24 18:13:57 +02:00
Koji Tanaka
40d5f32516 test: Fix assertion of SecurityComponentTest::testCsrfNonceVacuum() 2023-01-11 22:45:29 +01:00
Koji Tanaka
b46b6c758f test: Replace deprecated attributeEqualTo() 2023-01-11 22:45:29 +01:00
Koji Tanaka
2a7c06e16f test: Replace PHPUnit's class name in tests
Co-authored-by: Kenshin Okinaka <okinakak@yahoo.co.jp>
2023-01-11 22:45:29 +01:00
Koji Tanaka
75437a4a85 test: Replace deprecated setExpectedException() 2023-01-11 22:45:29 +01:00
Koji Tanaka
b1417587ad test: Replace deprecated @expectedException* with $this->expectException*() 2023-01-11 22:45:29 +01:00
Koji Tanaka
fe34a8551c test: Replace deprecated @expectedException PHPUnit_Framework_Error 2023-01-11 22:45:29 +01:00
Koji Tanaka
c04692f76c test: Replace deprecated @expectedException* with expectWarning*()/expectNotice*() 2023-01-11 22:45:29 +01:00
Koji Tanaka
dfc1c56625 test: Replace assertContains() with assertStringContainsString() for text assertion.
assertContains() can no longer be used for text containment assertion.
2023-01-11 22:45:29 +01:00
Koji Tanaka
6529d5a308 test: Replace deprecated assertNotRegExp() with assertDoesNotMatchRegularExpression().
Co-authored-by: Kenshin Okinaka <okinakak@yahoo.co.jp>
2023-01-11 22:45:29 +01:00
Koji Tanaka
883ce8041e test: Replace deprecated assertRegExp() with assertMatchesRegularExpression().
Co-authored-by: Kenshin Okinaka <okinakak@yahoo.co.jp>
2023-01-11 22:45:29 +01:00
Koji Tanaka
927b57fa14 test: Add App::uses() missing in the test code. 2023-01-11 22:45:29 +01:00
Koji Tanaka
75716f76bc test: Add return type declarations to overridden methods of TestCase classes. 2023-01-11 22:45:29 +01:00
Mark van Driel
d4c351563e Test to prove issue with empty body for json 2019-08-19 14:52:46 +02:00
bancer
4db38f26ca Improve unit test 2019-03-18 12:43:26 +01:00
bancer
2fe0af9fa9 Improve docs 2019-03-18 11:52:35 +01:00
bancer
534d9362e4 Add extra unit tests 2019-03-18 11:50:13 +01:00
Koji Tanaka
e1897a8498 Pass PaginatorComponentTest::testPaginateExtraParams() 2018-01-17 23:27:20 +09:00
Koji Tanaka
701519c637 Execute CakeSession::destroy() on a tearDown with implicit use session test 2018-01-16 00:47:34 +09:00
Mark Story
3bf93b7f76 Merge pull request #11526 from cakephp/post-conditions
Make postConditions() less permissive.
2017-12-15 14:36:38 -05:00
mark_story
340059be15 Check model names for bad characters as well. 2017-12-13 00:01:09 -05:00
mark_story
a9618f67f7 Use a permitted list instead of a ban list.
This should be safer as we are more confident on what is coming in.
2017-12-13 00:01:05 -05:00
mark_story
f66dec8a96 Make postConditions() less permissive.
We were notified by `ooooooo_q` that postConditions() is vulnerable to
SQL injection if used without SecurityComponent tampering prevention.

This change attempts to make postConditions() safer by exploding in
unsafe scenarios.
2017-12-10 21:44:47 -05:00
db-bogdan
e824346cca extra fix 2017-11-28 11:43:55 +02:00
db-bogdan
94e06dfeb3 add unit test 2017-11-28 11:31:46 +02:00
chinpei215
19bbb7da17 Simplify CookieComponent::read()
Also, this commit fixes an issue of when the second level key is empty.
Previously, read('foo.0') returned incorrect result.
2017-10-16 21:01:19 +09:00
chinpei215
bbea91090d Fix CookieComponent::delete() not working for deep children 2017-10-16 20:55:00 +09:00
chinpei215
959f45a6c6 Fix fatal error thrown when replacing scalar with array
Refs #11280
2017-10-06 13:43:32 +09:00
Jeremy Harris
f9f06e68b1 Stacking messages in SessionComponent::setFlash 2017-08-30 10:06:56 -05:00
mark_story
aa6770fa45 Merge branch '2.x' into 2.next 2017-07-22 14:59:41 -04:00
Val Bancer
85e0ebd7fd more unit tests added 2017-07-05 23:22:58 +02:00
Val Bancer
50334679d6 added a unit test 2017-07-05 22:40:41 +02:00
Val Bancer
31fd4217b1 more PaginatorComponent unit tests 2017-07-04 23:01:17 +02:00
mark_story
aaa37fa809 Merge branch '2.next' of github.com:cakephp/cakephp into 2.next 2017-06-26 21:51:55 -04:00
mark_story
2032fef772 Merge branch '2.x' into 2.next 2017-06-26 21:51:41 -04:00
Mark Story
52790443e8 Merge pull request #9705 from CakeDC/feature/backport-paginate-multiple-queries
2.next - Backport multiple paginators
2017-06-14 21:41:13 -04:00
Mark Story
8289b367f9 Merge pull request #10698 from lucasferreira/2.next
Cake 2.x - Some fix into Paginator component for order / sort classic syntax
2017-06-14 00:13:00 -04:00
Marc Würth
da8414e13b Use HTTPS for the opensource.org MIT license URL 2017-06-11 00:23:22 +02:00
Marc Würth
04efc7ba50 Use HTTPS for the book.cakephp.org URL 2017-06-11 00:15:36 +02:00
Marc Würth
10b89b51a9 Use HTTPS for the cakefoundation.org URL 2017-06-11 00:10:59 +02:00
Marc Würth
17314baa15 Use HTTPS for the cakephp.org URL 2017-06-10 23:40:28 +02:00
Lucas Ferreira
3258199193 Remove personal comments for pull request 2017-05-31 08:33:41 -03:00
mark_story
cf679a3233 Merge branch '2.x' into 2.next 2017-05-27 21:47:22 -04:00
Lucas Ferreira
ee1980b8f5 - Tests for array order syntax fix 2017-05-26 18:36:50 -03:00
chinpei215
a97bd234ee Fix _validatePost returning true when an empty form is submitted
Backport of #10625
2017-05-06 21:59:29 +09:00
mark_story
5e35064a0b Read basic auth credentials from Authorization header
Merge branch 'issue-9365' into 2.x

Refs #9365
2017-04-28 21:49:47 -04:00
mark_story
275385d676 Add test covering basic auth reading from headers.
In some FastCGI setups basic auth values will only be present in the
header. Fallback to reading that value if the PHP_AUTH super globals are
empty.

Refs #9365
2017-04-28 21:49:27 -04:00
chinpei215
31a1837c1d Merge branch '2.x' into 2.next
Conflicts:
	lib/Cake/Test/Case/View/Helper/FlashHelperTest.php
	lib/Cake/VERSION.txt
	lib/Cake/View/Helper/FlashHelper.php
2017-03-25 17:12:28 +09:00
mark_story
ccc9006620 Unset the active user data on logout.
When using stateless authentication the current user should be cleared
after logout to maintain consistency with session based authentication.

Refs #10422
2017-03-16 11:31:20 -04:00
mark_story
837741db66 Merge branch '2.x' into 2.next 2016-12-13 22:48:44 -05:00